Identify Data Staging and Pre-Exfiltration Patterns

Actions

1. 1

   Hunt for compressed-archive creation in user-writable locations within the baseline deviation window: .zip, .rar, .7z, .tar, .tgz, encrypted archives with high entropy file sizes.

2. 2

   Hunt for unusual USB-device insertion and file-copy-to-removable patterns (Windows Event Log 20001/20003, Sysmon 8, EDR removable-media events).

3. 3

   Hunt for consumer cloud-sync folders on corporate devices: Dropbox, OneDrive-personal, iCloud Drive, Google Drive-personal, Box-personal; these bypass corporate DLP.

4. 4

   Hunt for unusual print activity (print spooler audit) -- printing is a commonly under-monitored exfiltration channel.

5. 5

   Hunt for Teams/Slack/WeChat screenshots that include sensitive content; screen captures often bypass DLP that only inspects email/web uploads.

6. 6

   For M365/Google Workspace: hunt for mass download to personal OneDrive/Google Drive, SharePoint site export, Teams file download spikes.

Queries

DeviceFileEvents | where Timestamp > ago(30d) | where InitiatingProcessAccountName =~ "<subject>" | where FileName endswith_any (".zip",".rar",".7z",".tar",".tgz",".gz",".bz2") | where FolderPath has_any ("\\Users\\","/Users/","/home/") | summarize count() by DeviceName, FolderPath

DeviceEvents | where ActionType == "UsbDriveMount" or ActionType == "UsbDriveUnmount" | where InitiatingProcessAccountName =~ "<subject>" | project Timestamp, DeviceName, ActionType, AdditionalFields

CloudAppEvents | where Timestamp > ago(30d) | where AccountObjectId =~ "<subject-oid>" | where ActionType has_any ("FileDownloaded","FileUploadedToCloud") | summarize cnt=count(), gb=sum(toreal(tostring(RawEventData.FileSize))/1073741824) by bin(Timestamp, 1d), Application

Notes

Where to Go Next

Related Resources